If you’ve got a Western Digital My Cloud, you’d best hit the software update button and install the latest firmware upgrade. Security researcher James Bercegay says over a dozen different models have a hard coded back door that lets anyone log in using a specific username/password combination.
According to the researcher, the following models are affected:
- My Cloud Gen 2
- My Cloud PR2100
- My Cloud PR4100
- My Cloud EX2 Ultra
- My Cloud EX2
- My Cloud EX4
- My Cloud EX2100
- My Cloud EX4100
- My Cloud DL2100
- My Cloud DL4100
Full details on the vulnerability are published at Gulftech’s website.
Bercegay says the issue arises because of “the misuse and misunderstanding of the PHP gethostbyaddr() function used within PHP, by the developer of this particular piece of code”. As a result, anyone can log in as user mydlinkBRionyg using abc12345cba as their password. That user account has admin access to the device.
Dlink had the same problem and patched the vulnerability back in 2014 but it seems WD have let this slide for quite some time. Bercegay notified WD last June with the bug going public last week.